Twitter used private user phone numbers to target ads

Twitter announced in a recent blog post that the email addresses and phone numbers that users provided for two-factor authentication might have “[i]nadvertently been used for advertising purposes.”

Specifically, the platform’s Tailored Audiences and Partner Audiences advertising systems used the data. Twitter further stated, “We cannot say with certainty how many people were impacted by this.”

A Transparent Apology

The popular social media forum reported its security misstep “[t]o be transparent” and to “[m]ake everyone aware.”

Tailored Audiences allows advertisers to target ads to customers based on marketing lists that they generate using private databases of email addresses and phone numbers. Partner Audiences provides very similar features, but third-party partners populate the service with customer lists.

Twitter admitted that the error occurred after an advertiser uploaded its marketing list. The firm explained that it might have used account holders’ email addresses and phone numbers that were provided for “safety and security purposes” to match users to the advertising list.

Fortunately, Twitter stressed that it did not share any personal user data with its external partners or other third parties.

Furthermore, the company notes that it has addressed the issue at the root of the problem. As of September 17, Twitter claims that it is no longer using two-factor authentication data for advertising purposes.

The platform apologized for its actions, saying, “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”

People expressed confusion about Twitter’s purpose for a long time. The firm’s CMO, Leslie Berland, finally summed up the reason that the platform exists in a speech at CES 2017. “Twitter shows me what’s happening in the world.”

Thankfully, Twitter is confident that its recent mistake won’t impact users. However, the site does encourage anyone who has questions about their account to contact the company’s Office of Data Protection via an online form.